I am using magiclinks and email/password B2C authentication.
What is the best way to get a user's current email address embedded in their JWT?
Thanks!
Hi Jeremy,
Thanks for posting!
A Stytch JWT will always have the authentication_factors attribute in the payload (which is viewable if you decode the JWT using any standard library). This means that for Sessions created using Email Magic Links, the authentication_factors attribute will automatically include the user's email, e.g.
"authentication_factors": [{ "type": "magic_link", "delivery_method": "email", "last_authenticated_at": "2024-02-26T23:15:05Z", "email_factor": { "email_id": "email-test-12345", "email_address": "sandbox@stytch.com" } }]
This is not the case for Passwords authentication, however, which looks something like this in authentication_factors:
"authentication_factors": [{ "type": "password", "delivery_method": "knowledge", "last_authenticated_at": "2024-02-26T23:15:43Z" }]
The best way to add email addresses to JWTs consistently is likely via Session custom claims: https://stytch.com/docs/guides/sessions/custom-claims. Custom claims let you add arbitrary metadata to a session in JSON form, which will persist in both the Session object and any JWTs minted for that Session. For instance, you might add { user_email: <email_address> }.
You can add custom claims to a Session one of two ways:
1. In the initial /authenticate call. For instance, you can do this by including the session_custom_claims parameter when you call our /passwords/authenticate endpoint.
2. By calling /sessions/authenticate with an existing session (via the session_custom_claims parameter as well). This may be less desirable in this case, since you may only have access to the user's email address when they're logging in (in the case of Password authentication).

Happy to answer any other questions you might have about this as well!
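Added example, not code from the original thread or from Stytch's SDK: a small Python helper that pulls the email out of a decoded Stytch session JWT, preferring the Email Magic Link email_factor described above and falling back to a user_email custom claim set via session_custom_claims. It assumes Stytch nests authentication_factors under a "https://stytch.com/session" claim and places custom claims at the top level of the payload; the sample payloads and token are constructed.

```python
import base64
import json
from typing import Optional

STYTCH_SESSION_CLAIM = "https://stytch.com/session"

# Constructed sample payloads modelled on the two authentication_factors
# shapes quoted in the answer; the user id and the custom claim are made up.
MAGIC_LINK_CLAIMS = {
    "sub": "user-test-00000000",
    STYTCH_SESSION_CLAIM: {"authentication_factors": [{
        "type": "magic_link", "delivery_method": "email",
        "last_authenticated_at": "2024-02-26T23:15:05Z",
        "email_factor": {"email_id": "email-test-12345",
                         "email_address": "sandbox@stytch.com"}}]},
}
PASSWORD_CLAIMS = {
    "sub": "user-test-00000000",
    STYTCH_SESSION_CLAIM: {"authentication_factors": [{
        "type": "password", "delivery_method": "knowledge",
        "last_authenticated_at": "2024-02-26T23:15:43Z"}]},
    "user_email": "sandbox@stytch.com",  # custom claim set via session_custom_claims
}

def email_from_claims(claims: dict, custom_key: str = "user_email") -> Optional[str]:
    """Email from a *verified* JWT payload, or None if neither source has one.
    Prefers the email factor Stytch records for Email Magic Link sessions and
    falls back to our custom claim. Assumes session data sits under
    STYTCH_SESSION_CLAIM and custom claims at the top level of the payload."""
    session = claims.get(STYTCH_SESSION_CLAIM, claims)
    for factor in session.get("authentication_factors", []):
        email = (factor.get("email_factor") or {}).get("email_address")
        if email:
            return email
    return claims.get(custom_key) or (claims.get("custom_claims") or {}).get(custom_key)

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def peek_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature: fine for
    inspecting a token, but act on claims only after a JWT library has checked
    the signature against Stytch's JWKS plus exp/iss/aud."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

# Constructed, unsigned token; the signature segment is a placeholder.
SAMPLE_TOKEN = _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(PASSWORD_CLAIMS) + ".sig"
```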